It is common, when electronically accessing a service, for authorisation to be required to identify the party making the access. For example, many bank accounts can be accessed remotely via the Internet. In order for a user to access their bank account, they must supply a username and password, which are used to authorise the identity of the individual to the server that is providing the access to the bank account. The server stores the username (which need not be secure) and, in a secure manner, either the password or a digest of the password, and checks the received password against the stored password or digest.
To make the process of authorisation more robust, it is common for passwords to have only a limited lifespan. In many systems, once a user chooses a password for the first time, that password will only work for a predetermined length of time, for example ninety days. During this period, the user can access the electronic service by using their username and password, but once the limited lifespan has passed, the password can no longer be used to access the service. At this point, the password is said to have expired. In order for the user to continue to access the desired service, they need to provide a new password to replace the old password.
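As an added example (not part of the original text), the sketch below shows the check described in the two paragraphs above: a server that stores a salted digest per username and treats a password older than ninety days as expired. The names `CredentialStore`, `check` and `replace_expired`, the PBKDF2 parameters and the three result strings are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

LIFESPAN_SECONDS = 90 * 24 * 3600  # ninety-day lifespan from the text's example
ITERATIONS = 100_000               # assumed PBKDF2 work factor


@dataclass
class Record:
    salt: bytes
    digest: bytes
    set_at: float  # time (seconds) at which the password was chosen


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class CredentialStore:
    """Hypothetical server-side store: username -> salted digest + set time."""

    def __init__(self):
        self._records = {}

    def set_password(self, username, password, now):
        salt = os.urandom(16)
        self._records[username] = Record(salt, _digest(password, salt), now)

    def check(self, username, password, now):
        """Return 'ok', 'expired' or 'denied'."""
        rec = self._records.get(username)
        if rec is None:
            _digest(password, b"\x00" * 16)  # keep timing close to a real check
            return "denied"
        if not hmac.compare_digest(_digest(password, rec.salt), rec.digest):
            return "denied"  # wrong password: never reveal expiry state
        if now - rec.set_at >= LIFESPAN_SECONDS:
            return "expired"  # correct password, but past its lifespan
        return "ok"

    def replace_expired(self, username, old, new, now):
        """Accept a new password only from a caller who proved the old one."""
        if new == old or self.check(username, old, now) != "expired":
            return False
        self.set_password(username, new, now)
        return True
```

The expiry test runs only after the digest comparison succeeds, so a caller who does not know the password cannot learn whether an account's password has expired.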
For example, U.S. Pat. No. 6,826,700 discloses a method and apparatus for a web application server to solicit automatically a new password when an existing password has expired. In this Patent, an apparatus for and method of utilizing an internet terminal coupled to the World Wide Web to access an existing proprietary data base management system having a dialog-based request format is disclosed. The internet terminal transfers a service request to the data base management system, having a password provided as required. When a service request is made having an expired password, the data base management system recognizes the problem. The internet terminal is queried for certain parameters, and the data base management system automatically reassigns a new and unexpired password.
Improvements in the known methods of handling passwords that have expired can be made. Systems such as those described in the Patent above are complicated and not compatible with some existing standards for network communication. Additionally, there is a need for a method of handling expired passwords that supports greater flexibility on the client side of the network.
Therefore, there is a need in the art to solve the aforementioned problems.